Pyftpdlib

Latest version: v2.0.1

Page 5 of 5

0.5.0
=====

Not secure

**Enhancements**

- 72: pyftpdlib now provides configurable idle timeouts to disconnect clients
  after a long period of inactivity.
- 73: a delay is now imposed before replying to invalid credentials, to slow
  down brute-force password guessing (RFC-1123).
- 74: it is now possible to define permission exceptions for certain
  directories (e.g. creating a user which does not have write permission
  except for one sub-directory in the FTP root).
- Improved the bandwidth throttling of the demo/throttled_ftpd.py script by
  using the new CallLater class, which drastically reduces the number of
  time.time() calls.
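The per-directory permission exceptions of item 74 come down to a longest-prefix lookup over a table of directory overrides. The following is an added illustration of that lookup, written for this page; it is not pyftpdlib's own authorizer code. The permission letters follow pyftpdlib's single-letter scheme ('e' = CWD, 'l' = LIST, 'r' = RETR, 'w' = STOR and so on), while the `DirectoryPermissions` class, the `demo()` data and the override syntax are this example's own assumptions. The one subtlety worth seeing in code is the boundary check: an override on `/uploads` must not leak onto `/uploads-old`, and a `..` inside the request must be normalised before the lookup.

```python
import posixpath


class DirectoryPermissions:
    """Per-user permission letters with per-directory exceptions.

    Illustrative class (not pyftpdlib's DummyAuthorizer). Permission letters
    use pyftpdlib's scheme, e.g. 'e' CWD, 'l' LIST, 'r' RETR, 'w' STOR, 'd' DELE.
    """

    def __init__(self, home_perm, overrides=None):
        self.home_perm = frozenset(home_perm)
        # Keys are absolute virtual (FTP-side) directories, normalised so that
        # "/uploads/" and "/uploads" denote the same entry.
        self.overrides = {
            posixpath.normpath(d): frozenset(p) for d, p in (overrides or {}).items()
        }

    def _matching_override(self, path):
        """Return the most specific override directory covering `path`, or None."""
        best = None
        for d in self.overrides:
            # A prefix match must stop at a path-component boundary: an override
            # on "/uploads" must not apply to "/uploads-old" or "/uploadsX".
            if path == d or path.startswith(d.rstrip("/") + "/"):
                if best is None or len(d) > len(best):
                    best = d
        return best

    def has_perm(self, perm, path):
        """True if `perm` is granted for the absolute virtual path `path`."""
        path = posixpath.normpath(path)   # collapses "/uploads/../x" to "/x" first
        if not path.startswith("/"):
            raise ValueError("virtual path must be absolute: %r" % path)
        override = self._matching_override(path)
        granted = self.overrides[override] if override is not None else self.home_perm
        return perm in granted


def demo():
    """Constructed example: read-only home, writable /uploads, read-only /uploads/archive."""
    perms = DirectoryPermissions(
        "elr", {"/uploads": "elradfmw", "/uploads/archive/": "elr"}
    )
    return {
        "stor_in_home": perms.has_perm("w", "/report.txt"),
        "stor_in_uploads": perms.has_perm("w", "/uploads/report.txt"),
        "stor_in_archive": perms.has_perm("w", "/uploads/archive/old.txt"),
        "stor_in_lookalike": perms.has_perm("w", "/uploads-old/report.txt"),
        "dotdot_escape": perms.has_perm("w", "/uploads/../report.txt"),
    }
```

Only the write request inside `/uploads` itself is granted; the nested read-only override wins over its parent because it is the longer match, and the look-alike directory and the `..` request both fall back to the read-only home permissions.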

**Bug fixes**

- 62: some unit tests were failing on certain dual core machines.
- 71: socket handles were leaked when a data transfer was in progress and the
  user sent QUIT.
- 75: an orphaned file was left behind when STOU failed because of
  insufficient user permissions.
- 77: incorrect OOB data management on FreeBSD.

0.4.0
=====

Not secure

**Enhancements**

- 65: It is now possible to assume the id of real users when using system
dependent authorizers.
- 67: added IPv6 support.

**Bug fixes**

- 64: an issue occurred when authenticating as the anonymous user with the
  UNIX and Windows authorizers.
- 66: WinNTAuthorizer did not determine the real user's home directory.
- 69: DummyAuthorizer incorrectly uses class attribute instead of instance
attribute for user_table dictionary.
- 70: a wrong NOOP response code was given.

0.3.0
=====

Not secure

**Enhancements**

- 42: implemented FEAT command (RFC-2389).
- 48: real permissions, owner, and group for files on UNIX platforms are now
  provided when processing the LIST command.
- 51: added the new demo/throttled_ftpd.py script.
- 52: implemented MLST and MLSD commands (RFC-3659).
- 58: implemented OPTS command (RFC-2389).
- 59: iterators are now used to produce the output of requests that take a
  long time to complete (LIST and MLSD commands), drastically increasing the
  daemon's scalability when dealing with many connected clients.
- 61: extended the set of assignable user permissions.

**Bug fixes**

- 41: an unhandled exception occurred on QUIT if user was not yet
authenticated.
- 43: the server identifier is no longer returned in the STAT response.
- 44: a wrong response code was given on PORT in case of a failed connection
  attempt.
- 45: a wrong response code was given on HELP if the provided argument wasn't
  recognized as a valid command.
- 46: a wrong response code was given on PASV in case of an unauthorized FXP
  connection attempt.
- 47: can't use FTPServer.max_cons option on Python 2.3.
- 49: a "550 No such file or directory" was returned when LISTing a directory
  containing a broken symbolic link.
- 50: DTPHandler class did not respect what was specified in the
  ac_out_buffer_size attribute.
- 53: trailing white space was erroneously stripped from received strings.
- 54: LIST/NLST/STAT outputs are now sorted by file name.
- 55: path traversal vulnerability: symbolic links could escape the user's
  home directory.
- 56: can't rename broken symbolic links.
- 57: invoking LIST/NLST over a symbolic link which points to a directory
  should not list its contents.
- 60: an unhandled IndexError was raised on certain badly formatted PORT
  requests.

0.2.0
=====

Not secure

**Major enhancements**

- 5: it is now possible to set a maximum number of connections and a maximum
number of connections from the same IP address.
- 36: added support for FXP site-to-site transfer.
- 39: added NAT/Firewall support with PASV (passive) mode connections.
- 40: it is now possible to set a range of ports to use for passive
connections.

**RFC-related enhancements**

- 6: accept TYPE AN and TYPE L8 as synonyms for TYPE A (ASCII) and TYPE I
  (binary).
- 7: a new USER command can now be entered at any point to begin the login
  sequence again.
- 10: HELP command arguments are now accepted.
- 12: a 554 error response is now returned on RETR/STOR if RESTart fails.
- 15: STAT used with an argument now returns directory LISTing over the
command channel (RFC-959).

**Security Enhancements**

- 3: stop buffering when an extremely long line is received over the command
  channel, bounding the memory a single client can consume.
- 11: the data connection is now rejected when a privileged port (below 1024)
  is specified in a PORT command.
- 25: limited the number of attempts to find a unique filename when
processing STOU command.
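Items 11 and 36 above, together with 0.3.0's fix 60 (an unhandled IndexError on badly formatted PORT arguments), all concern the same small piece of input handling: parsing the `h1,h2,h3,h4,p1,p2` argument of PORT and deciding whether to honour it. The following is an added example written for this page, not pyftpdlib's own PORT handler; the function name `handle_port`, the `permit_foreign_addresses` parameter and the reply texts are this example's assumptions (the 501 code is RFC 959's "syntax error in parameters or arguments"). It refuses malformed arguments without crashing, refuses privileged ports, and refuses third-party addresses unless site-to-site (FXP) transfers are explicitly allowed.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 -- exactly six decimal fields, each 0..255.
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def handle_port(arg, control_peer_ip, permit_foreign_addresses=False):
    """Validate a PORT argument; return (reply_line, (ip, port)) or (reply_line, None).

    Example code for this page, not pyftpdlib's implementation; reply texts are
    this example's own.
    """
    match = _PORT_ARG.match(arg.strip())
    if match is None:
        # Too few or too many fields, or non-numeric data: reply cleanly instead
        # of indexing past the end of a split() result.
        return "501 Invalid PORT format.", None
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        return "501 Invalid PORT format.", None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port < 1024:
        # A client cannot normally bind a privileged port itself; a request to
        # connect there is asking the server to reach a service the client does not own.
        return "501 Can't connect over a privileged port.", None
    if ip != control_peer_ip and not permit_foreign_addresses:
        # Site-to-site (FXP) transfers stay off unless the operator enabled them.
        return "501 Can't connect to a foreign address.", None
    return "200 Active data connection established.", (ip, port)


def demo():
    """Constructed PORT arguments as sent by a client whose control connection is 192.0.2.10."""
    peer = "192.0.2.10"
    cases = {
        "valid": "192,0,2,10,4,1",          # port 4*256+1 = 1025
        "truncated": "192,0,2,10,4",        # badly formatted: too few fields
        "octet_overflow": "192,0,2,10,300,1",
        "privileged": "192,0,2,10,0,25",    # port 25
        "foreign": "198,51,100,7,4,1",      # third-party host
    }
    out = {name: handle_port(arg, peer)[0] for name, arg in cases.items()}
    out["foreign_with_fxp"] = handle_port(cases["foreign"], peer,
                                          permit_foreign_addresses=True)[0]
    return out
```

Anchoring the regular expression at both ends is what turns the crash class into a clean 501: a split-and-index approach accepts any field count and fails only when it reaches the missing element.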

**Usability enhancements**

- Provided an overridable attribute to set the maximum number of login
  attempts allowed before disconnecting.
- Docstrings are now provided for almost every method and function.
- 30: HELP response now includes the command syntax.
- 31: a compact list of recognized commands is now provided on HELP.
- 32: a detailed error message response is now returned to the client in
  case the transfer is interrupted for some unexpected reason.
- 38: write access can now be optionally granted for anonymous user.
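The maximum-login-attempts attribute above, the reply delay for invalid credentials added in 0.5.0 (item 73), and the counter that must also advance on a wrong username (0.2.0 fix 20) are three pieces of one mechanism. The following added example, written for this page and not taken from pyftpdlib, puts them together in a small per-connection guard; `LoginGuard`, its `sleep` and `disconnect` hooks and the reply texts are this example's own assumptions. The hooks are injectable so the behaviour can be exercised without real delays or sockets, and the unknown-user and wrong-password cases deliberately share one path so that neither the reply nor the delay reveals which half of the credential was wrong.

```python
import hmac


class LoginGuard:
    """Failed-login tracking for one control connection (illustrative, not pyftpdlib's)."""

    def __init__(self, check_password, max_login_attempts=3, fail_delay=5.0,
                 sleep=None, disconnect=None):
        self.check_password = check_password        # callable(username, password) -> bool
        self.max_login_attempts = max_login_attempts
        self.fail_delay = fail_delay                # seconds to wait before a 530 reply
        self.sleep = sleep or (lambda seconds: None)
        self.disconnect = disconnect or (lambda: None)
        self.attempted_logins = 0
        self.authenticated = False

    def pass_cmd(self, username, password):
        """Handle PASS for the given USER; return the reply line for the client."""
        if self.authenticated:
            return "503 User already authenticated."
        if self.check_password(username, password):
            self.authenticated = True
            self.attempted_logins = 0
            return "230 Login successful."
        # Unknown user and wrong password reach this point alike: same counter,
        # same delay, same reply, so the failure mode does not leak.
        self.attempted_logins += 1
        self.sleep(self.fail_delay)
        if self.attempted_logins >= self.max_login_attempts:
            self.disconnect()
            return "530 Authentication failed. Too many login attempts."
        return "530 Authentication failed."


def demo():
    """Constructed user table; side effects are recorded instead of sleeping or closing a socket."""
    users = {"alice": "correct horse battery staple"}
    events = []

    def check(username, password):
        # compare_digest keeps the comparison time independent of where the strings differ
        return hmac.compare_digest(users.get(username, ""), password)

    guard = LoginGuard(
        check_password=check,
        max_login_attempts=3,
        fail_delay=5.0,
        sleep=lambda seconds: events.append(("sleep", seconds)),
        disconnect=lambda: events.append(("disconnect",)),
    )
    replies = [
        guard.pass_cmd("mallory", "letmein"),   # unknown user: still counted
        guard.pass_cmd("alice", "password1"),   # wrong password
        guard.pass_cmd("alice", "password2"),   # third failure: client is disconnected
    ]
    return replies, events
```

Note that the delay is applied before the final, disconnecting reply as well; dropping the connection immediately on the last attempt would give a guessing client a faster signal than the earlier failures did.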

**Test suite enhancements**

- File creation/removal moved into setUp and tearDown methods to avoid
leaving behind orphaned temporary files in the event of a test suite
failure.
- 7: added test case for USER provided while already authenticated.
- 7: added test case for REIN while a transfer is in progress.
- 28: added ABOR tests.

**Bug fixes**

- 4: the socket's "reuse_address" feature was applied after the socket had
  been bound, where it has no effect.
- 8: STOU string response didn't follow RFC-1123 specifications.
- 9: corrected a path traversal vulnerability in file-system path
  translation.
- 14: a wrong response code was returned on CDUP.
- 17: SIZE is now rejected for non-regular files.
- 18: a wrong ABOR response code type was returned.
- 19: reject STOU preceded by REST, which makes no sense.
- 20: "attempted login" counter wasn't incremented on wrong username.
- 21: STAT wasn't permitted if user wasn't authenticated yet.
- 22: corrected memory leaks occurring on KeyboardInterrupt/SIGTERM.
- 23: PASS wasn't rejected when user was already authenticated.
- 24: Implemented a workaround for os.strerror() on those systems where it
  is not available (Python CE).
- 24: problem occurred on Windows when using '\\' as user's home directory.
- 26: select() is now used by default instead of poll() because of a bug
  inherited from asyncore.
- 33: some FTPHandler class attributes weren't reset on REIN.
- 35: reject APPE preceded by REST, which makes no sense.
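Fix 9 above and 0.3.0's fix 55 are the two halves of FTP path confinement: a client-supplied path must not escape the home directory lexically (through `..` segments) and must not escape it physically (through a symbolic link inside the tree that points outside it). The following added example, written for this page and not pyftpdlib's own `ftp2fs`, shows both checks; the names `ftp2fs`, `PathEscapeError` and the temporary tree built by `demo()` are this example's assumptions. Lexical `..` above the root is clamped to the root, as an FTP server's virtual filesystem normally does, while a symlink escape is refused outright, because clamping would silently serve the wrong file.

```python
import os
import posixpath
import tempfile


class PathEscapeError(ValueError):
    """Raised when a client-supplied path would resolve outside the FTP root."""


def ftp2fs(ftp_path, root, cwd="/"):
    """Translate a client-supplied FTP path into a filesystem path confined to `root`.

    Illustrative function for this page, not pyftpdlib's implementation.
    """
    if not ftp_path.startswith("/"):
        ftp_path = posixpath.join(cwd, ftp_path)
    # Lexical step: normpath on an absolute virtual path drops leading '..'
    # segments, so "/../../etc/passwd" becomes "/etc/passwd" *inside* the root.
    virtual = posixpath.normpath(ftp_path).lstrip("/")
    root_real = os.path.realpath(root)
    candidate = os.path.normpath(os.path.join(root_real, virtual))
    # Defensive invariant: cannot fire after the clamp above, kept so a later
    # change to the normalisation cannot silently reintroduce traversal.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscapeError("lexical traversal: %r" % ftp_path)
    # Physical step: resolve every symlink on the way. A link that lives inside
    # the tree may still point anywhere on disk.
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root_real, resolved]) != root_real:
        raise PathEscapeError("symlink escapes root: %r -> %r" % (ftp_path, resolved))
    return candidate


def demo():
    """Constructed tree: a home with one in-tree symlink pointing outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "home", "alice")
    os.makedirs(os.path.join(root, "pub"))
    outside = os.path.join(base, "secret.txt")
    with open(outside, "w") as f:
        f.write("not for ftp users\n")
    os.symlink(outside, os.path.join(root, "pub", "leak"))
    root_real = os.path.realpath(root)
    results = {
        "dotdot": os.path.relpath(ftp2fs("/../../etc/passwd", root), root_real),
        "relative": os.path.relpath(ftp2fs("pub", root, cwd="/"), root_real),
    }
    try:
        ftp2fs("/pub/leak", root)
        results["symlink"] = "allowed"
    except PathEscapeError:
        results["symlink"] = "refused"
    return results
```

Both checks compare against `realpath(root)` rather than `root` itself, so a root that is itself reached through a symlink (a common layout for temporary directories on some systems) does not produce false escapes.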

0.1.1
=====

- Port selection on PASV command has been randomized to prevent a remote user
  from guessing how many data connections are in progress on the server.
- Fixed bug in demo/unix_ftpd.py script.
- ftp_server.serve_forever now automatically re-uses the address on POSIX
  systems.
- License changed to MIT.

0.1.0
=====

- First proof of concept beta release.

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.